We survey the notion of provably secure searchable encryption (SE) by giving a complete and comprehensive overview of the two main SE techniques: searchable symmetric encryption (SSE) and public key ...encryption with keyword search (PEKS). Since the pioneering work of Song, Wagner, and Perrig (IEEE S&P '00), the field of provably secure SE has expanded to the point where we felt that taking stock would provide benefit to the community. The survey has been written primarily for the nonspecialist who has a basic information security background. Thus, we sacrifice full details and proofs of individual constructions in favor of an overview of the underlying key techniques. We categorize and compare the different SE schemes in terms of their security, efficiency, and functionality. For the experienced researcher, we point out connections between the many approaches to SE and identify open research problems. Two major conclusions can be drawn from our work. While the so-called IND-CKA2 security notion becomes prevalent in the literature and efficient (sublinear) SE schemes meeting this notion exist in the symmetric setting, achieving this strong form of security efficiently in the asymmetric setting remains an open problem. We observe that in multirecipient SE schemes, regardless of their efficiency drawbacks, there is a noticeable lack of query expressiveness that hinders deployment in practice.
•Experimental research into the ‘privacy paradox’ is still comparatively rare.•This study focuses on observing actual behavior.•Neither technical knowledge nor money prevent from paradoxical ...behavior.•Privacy is not rated overly important in the evaluation of an app’s desirability.•Functionality, design and its perceived cost-to-benefit outweigh privacy concerns.
Research shows that people’s use of computers and mobile phones is often characterized by a privacy paradox: Their self-reported concerns about their online privacy appear to be in contradiction with their often careless online behaviors. Earlier research into the privacy paradox has a number of caveats. Most studies focus on intentions rather than behavior and the influence of technical knowledge, privacy awareness, and financial resources is not systematically ruled out. This study therefore tests the privacy paradox under extreme circumstances, focusing on actual behavior and eliminating the effects of a lack of technical knowledge, privacy awareness, and financial resources. We designed an experiment on the downloading and usage of a mobile phone app among technically savvy students, giving them sufficient money to buy a paid-for app. Results suggest that neither technical knowledge and privacy awareness nor financial considerations affect the paradoxical behavior observed in users in general. Technically-skilled and financially independent users risked potential privacy intrusions despite their awareness of potential risks. In their considerations for selecting and downloading an app, privacy aspects did not play a significant role; functionality, app design, and costs appeared to outweigh privacy concerns.
Research on deception detection has usually been executed in experimental settings in the laboratory. In contrast, the present research investigates deception detection by actual victims and near ...victims of fraud, as reported in their own words.
Our study is based on a nationally representative survey of 11 types of (mostly) online fraud victimization (
= 2,864). We used qualitative information from actual victims and near victims on why they didn't fall for the fraud, or how, in hindsight, it could have been prevented.
The main detection strategies mentioned by near victims (
= 958) were 1) fraud knowledge (69%): these near victims clearly recognized fraud. Other strategies related to fraud knowledge were: noticing mistakes (27.9%), rules and principles about safe conduct (11.7%), and personal knowledge (7.1%). A second type of strategy was distrust (26.1%). A third strategy was 'wise through experience' (1.6%). Finally, a limited number of respondents (7.8%) searched for additional information: they contacted other people (5.5%), sought information online (4%), contacted the fraudster (2.9%), contacted their bank or credit card company (2.2%), or contacted the police (0.2%). Using knowledge as a strategy decreases the probability of victimization by a factor of 0.43. In contrast, all other strategies increased the likelihood of victimization by a factor of 1.6 or more. Strategies generally were uncorrelated, several strategies differed by type of fraud. About 40% of the actual victims (
= 243) believed that their victimization might have been prevented by: 1) seeking information (25.2%), 2) paying more attention (18.9%), 3) a third party doing something (16.2%), 4) following safety rules or principles, like using a safer way of paying or trading (14.4%), or by 5) 'simply not going along with it' (10.8%). Most of these strategies were associated with a higher, not lower, likelihood of victimization.
Clearly, knowledge of fraud is the best strategy to avoid fraud victimization. Therefore, a more proactive approach is needed to inform the public about fraud and attackers' modus operandi, so that potential victims already have knowledge of fraud upon encountering it. Just providing information online will not suffice to protect online users.
Law enforcement agencies struggle with criminals using end-to-end encryption (E2EE). A recent policy paper states: “while encryption is vital and privacy and cyber security must be protected, that ...should not come at the expense of wholly precluding law enforcement”. The main argument is that E2EE hampers attribution and prosecution of criminals who rely on encrypted communication - ranging from drug syndicates to child sexual abuse material (CSAM) platforms. This statement - in policy circles dubbed ‘going dark’ - is not yet supported by empirical evidence. That is why, in our work, we analyse public court data from the Netherlands to show to what extent law enforcement agencies and the public prosecution service are impacted by the use of E2EE in bringing cases to court and their outcome. Our results show that in cases brought to court, the Dutch courts appear to be as successful in convicting offenders who rely on E2EE as those who do not. Our data do not permit us to draw conclusions on the effect of E2EE on criminal investigations.
Background: Many countries mandate transparency and consent when personal data are handled by online services. However, most users do not read privacy policies or cannot understand them. An important ...challenge for technical communicators is empowering users to manage their online privacy responsibly. Literature review: Research suggests that privacy visualizations may alleviate this problem, but existing approaches are incomplete and under-researched. Research questions: 1. How can we design a privacy rating that optimally empowers users with different levels of knowledge about and awareness of online privacy? 2. How do users react to such a privacy rating, in terms of usability, perceived usefulness, and trust in online services? Methodology: We developed Privacy Rating, a tool for mapping and visualizing the privacy of online services. The tool was subjected to user research (N = 30) focusing on usability, perceived usefulness, and effects on trust. To establish the effects on trust, participants were exposed to a website with either a positive or a negative privacy rating. Results: The Privacy Rating appeared to be usable and useful for lay users, and it had a significant effect on users' trust in the online service. Users indicated that they would like the visualization to become an established standard, preferably approved by an independent organization. Conclusions: The Privacy Rating is a user-friendly privacy visualization covering all relevant aspects of privacy. We aim to bring the tool to the market and make it a standard, ideally supported by an independent trustworthy organization.
SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related ...threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
Since it takes time and effort to put a new product or service on the market, one would like to predict whether it will be a success. In general this is not possible, but it is possible to follow ...best practices in order to maximize the chance of success. A smart contract is intended to encode business logic and is therefore at the heart of every new business on the Ethereum blockchain. We have investigated how to measure the success of smart contracts, and whether successful smart contracts have characteristics that less successful smart contracts lack. The appearance of a smart contract on a listing website such as Etherscan or StateoftheDapps is such a characteristic. In this paper, we present a three-pronged analysis of the relative success of listed smart contracts. First, we have used statistical analysis on the publicly visible transaction history of the Ethereum blockchain to determine that listed contracts are significantly more successful than their unlisted counterparts. Next, we have conducted a survey among more than 200 developers via an anonymous online survey about their experience with the listing process. A significant majority of respondents do not believe that listing a contract itself contributes to its success, but they believe that the extra attention that is typically paid in tandem with the listing process does contribute. Finally, based on the respondents' answers, we have drafted 10 recommendations for developers and validated them by submitting them to an international panel of experts.
Objectives
The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., the obtaining of access via persuasion) in an office environment. ...In particular, we study the effect of authority during a ‘social engineering’ attack.
Methods
Thirty-one different ‘
offenders
’ visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials.
Results
A total of 37.0 % of the employees who were exposed to the intervention surrendered their keys while 62.5 % of those who were not exposed to it handed them over. The intervention has a significant effect on compliance but the same was not the case for authority.
Conclusions
Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.
Privacy visualizations help users understand the privacy implications of using an online service. Privacy by Design guidelines provide generally accepted privacy standards for developers of online ...services. To obtain a comprehensive understanding of online privacy, we review established approaches, distill a unified list of 15 privacy attributes and rank them based on perceived importance by users and privacy experts. We then discuss similarities, explain notable differences, and examine trends in terms of the attributes covered. Finally, we show how our results provide a foundation for user-centric privacy visualizations, inspire best practices for developers, and give structure to privacy policies.
PDF
